I guess we all know what Metasploit is, so we don't really need to
present the basics of Metasploit to the reader. It's still useful,
though, to go over the types of modules Metasploit has. Metasploit has
the following types of modules:

Auxiliary Modules: perform scanning and sniffing and provide us with
tons of information when doing a penetration test.

Post Modules: gather more information or obtain more privileges on an
already compromised target machine.

Encoders: used to encode the payload being used so that it is not
detected by anti-virus software.

Exploits: used to actually exploit a specific host.

Payloads: the actual instructions that will be executed on the target
host. Payloads are divided into singles, which can be used standalone
(for example, adding a user to the system); stagers, which usually set
up a network connection between the victim and the attacker; and
stages, which are downloaded by the stagers. Stagers and stages
together allow a payload to be executed in multiple stages, which is
useful when a certain vulnerability doesn't leave enough space for the
whole payload but we would still like to execute it on the target
system.

Q on GitHub

The Q Metasploit Exploit Pack is a collection of modules gathered over
time that were not accepted into the main Metasploit trunk. Currently
the Q trunk contains only two auxiliary modules and four post modules,
which we'll look into in the rest of the article.

To use the Q exploit modules, we could download the individual modules
manually and include them in the system's Metasploit modules path, but
there's a better way. First we need to clone the repository as follows:

# git clone https://github.com/mubix/q.git

Afterwards, the q/ directory will be created, holding all the files and
folders in the git repository. We can copy the q/modules/ directory
under the ~/.msf4/modules directory and run the msfconsole command,
which loads the system modules as well as the user-defined modules.
Alternatively, we could load the modules by passing the directory to
msfconsole's -m option, which also loads all the system and user
modules. Another option is to load the directory with the
loadpath /path/to/modules command when msfconsole is already
running.

In our case we copied the modules to the ~/.msf4/modules/ directory and
ran msfconsole as follows:

Metasploit was loaded successfully (note the msf> prompt), but some
modules within the Q exploit pack were not. We can see that
passwd-shadow-ssh-jacker-shell.rb and netcrafting.rb didn't compile
correctly. We looked up the code for the two modules and corrected the
mistakes made by the module author. In the
passwd-shadow-ssh-jacker-shell.rb module, one end directive is missing
on line 73, which should terminate the else statement. After adding it,
the file compiles successfully; if you're trying to compile it with
ruby passwd-shadow-ssh-jacker-shell.rb, note that the error about not
being able to load msf/core is normal, since those files are not in the
system path (Metasploit itself can load them just fine). The
netcrafting.rb module contains an extra comma on line 68; after
removing it, the module also compiles successfully.
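As an added example (not code from the Q pack or from Metasploit), the Ruby helper below parses every module file in a tree before copying it into a user module directory such as ~/.msf4/modules, so a missing end like the one fixed above is reported before msfconsole tries to load the tree. The module skeletons and directory names in it are constructed for the demonstration.

```ruby
require 'find'
require 'fileutils'
require 'tmpdir'
# Parse every *.rb file under dir without running it; returns [path, error] pairs.
def check_module_syntax(dir)
  failures = []
  Find.find(dir) do |path|
    next unless File.file?(path) && path.end_with?('.rb')
    begin
      # compile only parses, so the module's require 'msf/core' need not resolve
      RubyVM::InstructionSequence.compile(File.read(path), path)
    rescue SyntaxError => e
      failures << [path, e.message.lines.first.to_s.strip]
    end
  end
  failures
end
# Copy a module tree into a user module directory only if every file parses.
def stage_modules(src_dir, dest_dir)
  failures = check_module_syntax(src_dir)
  if failures.empty?
    FileUtils.mkdir_p(dest_dir)
    FileUtils.cp_r(Dir.glob(File.join(src_dir, '*')), dest_dir)
  end
  failures
end
# Constructed sample: a hypothetical post module skeleton, and a copy missing
# the 'end' that closes its if/else (the same kind of defect as described above).
GOOD_MODULE = <<~RUBY
  require 'msf/core'
  class MetasploitModule < Msf::Post
    def run
      if session.type == 'meterpreter' then print_status('meterpreter')
      else print_status('shell')
      end
    end
  end
RUBY
BAD_MODULE = GOOD_MODULE.sub("    end\n  end\n", "  end\n")
# Build a throwaway tree with both files and try to stage it.
def demo
  Dir.mktmpdir do |tmp|
    src, dest = File.join(tmp, 'q_modules'), File.join(tmp, 'msf4_modules')
    FileUtils.mkdir_p(src)
    File.write(File.join(src, 'good.rb'), GOOD_MODULE)
    File.write(File.join(src, 'bad.rb'), BAD_MODULE)
    failed = stage_modules(src, dest)
    { failures: failed.map { |p, _| File.basename(p) }, staged: Dir.exist?(dest) }
  end
end
```

Running demo reports bad.rb as the only failure and leaves the destination untouched; point stage_modules at the cloned q/modules directory and ~/.msf4/modules to use it for real.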

After the mistakes are corrected, we should be able to load Metasploit
without any errors, which can be seen in the output below:

We can see that we've gotten quite a lot of information about the Google
netblock, but there are also entries in there that do not belong to
Google. We can get the same information by visiting the webpage
apps.db.ripe.net and clicking the "Query" and "Full Text Search (GRS)"
links in the menu on the right side of the page, as can be seen in the
picture below:

The Netcrafting Module

This module provides us with results for all the sites matching a
keyword, the netblock each site belongs to and the operating system
running that web site. All we need to do is enter the company name in
the KEYWORD variable and run the module. It automatically returns the
results as shown below:

We can get the same result if we visit the Netcraft website and search
for the keyword Google, as can be seen in the picture below:

There are more than 300 entries, but only seven of them are shown in
the picture above. With this query we can get more information about
the domain names the company is using, their operating systems, and
the time when they were first seen on the Internet (although the last
is only available in the online version of the search, not in the
Metasploit module).

The Passwd-shadow-ssh-jacker-meterpreter Module

This is a post exploitation module that can be used on Linux systems
once a session to the target machine is already set up. It tries to
download /etc/passwd, /etc/shadow and SSH keys from the target machine.
It automatically finds the .ssh folder and tries to download the keys in
it, but it might not succeed, because the user the session is running
under might not have enough permissions.
I guess this module is there just for convenience, because if we
already have a session open, we can download those files manually with
ease.

The options the module accepts can be seen in the output below:

This module is a post exploitation module that can be run on Windows. It
can download OpenVPN profiles that can then be imported into the OpenVPN
client. This module can be used when we already have an open session
that we can interact with. I guess if we already have a session we can
also do this manually with ease, so the additional module is there just
to make things a little easier.

An example of using and showing options the module accepts can be seen
below:

We've seen how the Q exploit pack for Metasploit can be used together
with Metasploit to provide additional modules that didn't make it into
the Metasploit trunk. Currently it contains very few modules, but this
should change over time as modules that are not accepted into the
Metasploit trunk are added to it.

Whenever we write a module to automate something with Metasploit, or
write an entirely new Metasploit module, we first need to contact the
Metasploit developers to find out whether the module is eligible for
inclusion in the Metasploit trunk. Otherwise, we should add it to the Q
exploit pack, so that all the non-accepted modules are part of the same
repository.